b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                           Improvements Are Needed to\n                          Ensure the Effectiveness of the\n                       Privacy Impact Assessment Process\n\n\n\n                                        February 27, 2013\n\n                              Reference Number: 2013-20-023\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number | 202-622-6500\n E-mail Address | TIGTACommunications@tigta.treas.gov\n Website        | http://www.treasury.gov/tigta\n\x0c                                                   HIGHLIGHTS\n\n\nIMPROVEMENTS ARE NEEDED TO                            more efficient and less time-consuming way.\nENSURE THE EFFECTIVENESS OF THE                       However, several key processes were not\nPRIVACY IMPACT ASSESSMENT                             effectively automated. For example, privacy\nPROCESS                                               analysts must view numerous individual screens\n                                                      rather than scrolling through the information\n                                                      seamlessly, responses in the system are not\nHighlights                                            grouped by topic or subject matter, and the\n                                                      automated e-mail notification function is not\n                                                      consistent.\nFinal Report issued on\nFebruary 27, 2013                                     WHAT TIGTA RECOMMENDED\n\nHighlights of Reference Number: 2013-20-023           TIGTA made 11 recommendations to the\nto the Internal Revenue Service Director,             Director, Privacy, Governmental Liaison, and\nPrivacy, Governmental Liaison, and Disclosure.     
   Disclosure, that included the following:\n                                                      1) establish an annual reconciliation of PIA\nIMPACT ON TAXPAYERS                                   inventories with information systems and\n                                                      collections of information in the current\nThe Privacy Impact Assessment (PIA) process           production environment; 2) document and\nexamines the risks and ramifications of using         publicize the customer survey PIA completion\ninformation technology to collect, maintain, and      process; 3) establish a PIA inventory control\ndisseminate information in identifiable form          process to identify and review systems every\nabout members of the public and agency                three years as required; 4) automate the\nemployees. The IRS recognizes that privacy            notification process to alert responsible officials\nprotection is both a personal and fundamental         when new or existing PIAs are required to be\nright of all taxpayers and employees.                 posted to the IRS public website; and 5) ensure\nWHY TIGTA DID THE AUDIT                               that current and complete standard operating\n                                                      procedures are established and maintained for\nThis audit was initiated at the request of the IRS    all PIA processes. TIGTA also recommended\nto evaluate its implementation of the privacy         that IRS officials who develop third-party website\nprovisions of the E-Government Act of 2002,           information be directed to submit website\nwhich requires agencies to conduct PIAs. 
In           proposal details and approval requests to the\naddition, the Consolidated Appropriations Act         IRS New Media Governance Council and\nof 2005, Section 522, requires the Inspector          coordinate with website owners to post a link to\nGeneral of each agency to evaluate privacy and        the IRS privacy policy on these third-party\ndata protection procedures. This review was           websites.\npart of our statutory requirements to annually\nreview the adequacy and security of IRS               The IRS agreed with nine of the\ntechnology and addresses the major                    recommendations but indicated that it had\nmanagement challenge of Security for Taxpayer         already implemented two recommendations by\nData and Employees.                                   overhauling the PIAMS template and involving\n                                                      privacy analysts and other users in requirements\nWHAT TIGTA FOUND                                      gathering and testing of PIAMS functionality.\n                                                      TIGTA did not see evidence of these corrective\nThe IRS has not established effective processes       actions and continues to believe that the PIAMS\nto ensure that the PIAs are completed timely,         version, at the time of our review, could be\nupdated, and made publicly available and that         improved to effectively automate the key privacy\nprivacy policies are posted on public websites        impact assessment processes.\nfor all required systems and collections of\ninformation. Further, in December 2011, the\nIRS implemented the Privacy Impact\nAssessment Management System (PIAMS) to\nautomate the process of completing PIAs in a\n\x0c                                                   DEPARTMENT OF THE TREASURY\n                                                          WASHINGTON, D.C. 
20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                                  February 27, 2013\n\n\n MEMORANDUM FOR DIRECTOR, PRIVACY, GOVERNMENTAL LIAISON, AND\n                DISCLOSURE\n\n\n FROM:                           Michael E. McKenney\n                                 Acting Deputy Inspector General for Audit\n\n SUBJECT:                        Final Audit Report \xe2\x80\x93 Improvements Are Needed to Ensure the\n                                 Effectiveness of the Privacy Impact Assessment Process\n                                 (Audit # 201220009)\n\n This report presents the results of our review of the Internal Revenue Service\xe2\x80\x99s (IRS)\n implementation of the privacy provisions of the E-Government Act of 2002.1 This review was\n included in the Treasury Inspector General for Tax Administration\xe2\x80\x99s Fiscal Year 2012 Annual\n Audit Plan and addresses the major management challenge of Security for Taxpayer Data and\n Employees. The IRS requested we conduct this review.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix V.\n Copies of this report are also being sent to the IRS managers affected by the report\n recommendations. If you have any questions, please contact me or Alan R. Duncan, Assistant\n Inspector General for Audit (Security and Information Technology Services).\n\n\n\n\n 1\n     Pub. L. No. 107-347, \xc2\xa7 208, 116 Stat. 2899 (2002).\n\x0c                                   Improvements Are Needed to Ensure the\n                           Effectiveness of the Privacy Impact Assessment Process\n\n\n\n\n                                            Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... 
Page 3\n          Improvements Are Needed to Fully Address the Privacy\n          Provisions of the E-Government Act of 2002............................................... Page 3\n                    Recommendations 1 and 2: .............................................. Page 7\n\n                    Recommendations 3 through 6:......................................... Page 8\n\n                    Recommendations 7 and 8: .............................................. Page 10\n\n                    Recommendation 9:........................................................ Page 11\n\n          The Privacy Impact Assessment Management System\n          Does Not Effectively Automate Key Privacy Impact\n          Assessment Processes ................................................................................... Page 12\n                    Recommendation 10: ...................................................... Page 13\n\n                    Recommendation 11: ...................................................... Page 14\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 15\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 18\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 19\n          Appendix IV \xe2\x80\x93 Glossary of Terms ................................................................ Page 20\n          Appendix V \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ....................... 
Page 23\n\x0c                Improvements Are Needed to Ensure the\n        Effectiveness of the Privacy Impact Assessment Process\n\n\n\n\n                    Abbreviations\n\nIRS           Internal Revenue Service\nOMB           Office of Management and Budget\nPGLD          Privacy, Governmental Liaison, and Disclosure\nPIA           Privacy Impact Assessment\nPIAMS         Privacy Impact Assessment Management System\nPII           Personally Identifiable Information\nTIGTA         Treasury Inspector General for Tax Administration\n\x0c                               Improvements Are Needed to Ensure the\n                       Effectiveness of the Privacy Impact Assessment Process\n\n\n\n\n                                            Background\n\nWithin the Federal Government, privacy is defined as an individual\xe2\x80\x99s expectation that his or her\npersonal information collected for official Government business will be protected from\nunauthorized use and access. From a legislative perspective, the topic of privacy is governed by\nseveral laws.\n    \xef\x82\xb7   The Privacy Act of 19741 regulates what personal information the Federal Government\n        can collect about private individuals and how that information can be used.\n    \xef\x82\xb7   The E-Government Act of 20022 provides additional protection for personal information\n        by requiring agencies to conduct Privacy Impact Assessments (PIA).3 The PIA is a\n        process for examining the risks and ramifications of using information technology to\n        collect, maintain, and disseminate information about members of the public and agency\n        employees.\n    \xef\x82\xb7   The Consolidated Appropriations Act of 2005, Section 522,4 requires each agency to\n        establish a Chief Privacy Officer who assumes the responsibility for privacy and data\n        protection policy. 
This legislation also requires the Inspector General of each agency to\n        evaluate the agency\xe2\x80\x99s use of information in identifiable form and the privacy and data\n        protection procedures of the agency.\nPrivacy laws have significant ramifications for the Internal Revenue Service (IRS) because of its\ninteractions with potentially every household in the United States. During Fiscal Year 2011, the\nIRS processed 143 million tax returns from individuals. The IRS processes and maintains\nsensitive information from these tax returns in computer systems for use by IRS employees to\nperform various jobs as administrators of the Internal Revenue Code.\nWithin the IRS, the Privacy, Governmental Liaison, and Disclosure (PGLD) organization has\noverall responsibility for privacy issues. The Privacy and Information Protection office, which is\none of five offices under the PGLD organization, promotes the protection of individual privacy\nand integrates privacy into business practices, behaviors, and technology solutions. The specific\ngroup responsible for oversight of the PIA processes is the Privacy Compliance office.\nBeginning in December 2011, the IRS required business owners to submit all new PIAs through\nthe new Privacy Impact Assessment Management System (PIAMS). The PIAMS is a series of\n\n\n1\n  5 U.S.C. \xc2\xa7 552a (a)(5) (1974).\n2\n  Pub. L. No. 107-347, \xc2\xa7 208, 116 Stat. 2899 (2002).\n3\n  See Appendix IV for a glossary of terms.\n4\n  Pub. L. No. 108-447, 118 Stat. 2813, 5 U.S.C. \xc2\xa7 522a (2004).\n                                                                                            Page 1\n\x0c                                Improvements Are Needed to Ensure the\n                        Effectiveness of the Privacy Impact Assessment Process\n\n\n\nweb pages that allow IRS employees to input required PIAs online. 
It provides Privacy and\nInformation Protection subject matter experts with the capability to perform their quality review\nof the assessments in an automated system. The PIAMS allows business owners and developers\nto enter their PIAs early in the development stage. Further, business owners of legacy systems\nare also required to submit their PIAs into the same system.\nDuring our annual audit planning efforts for Fiscal Year 2012, the IRS requested that the\nTreasury Inspector General for Tax Administration (TIGTA) conduct a review of the IRS PIA\nprocess to ensure it meets requirements set forth by the Office of Management and Budget\n(OMB).5 As part of the E-Government Act of 2002, the OMB requires agencies to: 1) conduct\nPIAs for information systems and collections and, in general, make them publicly available;\n2) post privacy policies on agency websites used by the public; 3) translate privacy policies into\na standard computer language to enable web browser readability; and 4) report annually to the\nOMB regarding compliance.\nTIGTA previously issued an audit report in September 2006 on the IRS\xe2\x80\x99s Office of Privacy6 and\nfound that the IRS was not complying with legislative privacy requirements. Specifically, we\nreported that the IRS can take further actions to ensure that PIAs have been conducted for all\nsystems and applications that collect personal information and to enhance its processes to better\nmonitor compliance with privacy policy and procedures. In addition, the PIAs were not always\nconsistently conducted, and review results were not always properly documented. Lastly, the\nOffice of Privacy did not conduct any compliance reviews on existing PIAs.\nThis review was performed at the IRS PGLD organization offices in Washington, D.C., and\nNew Carrollton, Maryland. We performed the review during the period March through\nSeptember 2012. 
We conducted this performance audit in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and perform the audit to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objective. We believe the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit objective. Detailed\ninformation on our audit objective, scope, and methodology is presented in Appendix I. Major\ncontributors to the report are listed in Appendix II.\n\n\n\n\n5\n  OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act\nof 2002, Public Law 107-347 (Sept. 2003). This guidance applies to all executive branch departments and agencies\nand their contractors that use information technology or operate websites for purposes of interacting with the public.\n6\n  TIGTA, Ref. No. 2006-20-166, The Monitoring of Privacy Over Taxpayer Data Is Improving, Although\nEnhancements Can Be Made to Ensure Compliance With Privacy Requirements (Sept. 2006).\n                                                                                                              Page 2\n\x0c                            Improvements Are Needed to Ensure the\n                    Effectiveness of the Privacy Impact Assessment Process\n\n\n\n\n                                 Results of Review\n\nImprovements Are Needed to Fully Address the Privacy Provisions of\nthe E-Government Act of 2002\nThe IRS has emphasized privacy as an agency priority. One of the strategic foundations cited in\nthe IRS Strategic Plan 2009\xe2\x80\x932013 is to ensure the privacy and security of data and safety and\nsecurity of employees. For this objective, the plan states:\n       Taxpayers are legally obligated to report information to the IRS, and we are obligated to\n       protect that information. 
With increasing amounts of data processed, we will redouble\n       our efforts to detect and prevent security threats. By securing infrastructure, data, and\n       applications, we will manage access to taxpayer information so that we may provide\n       quality and timely service while protecting taxpayers\xe2\x80\x99 information.\nOne of the strategies the IRS identifies for this objective is to promote public confidence and\ntrust through the prevention and detection of security threats and the protection of Personally\nIdentifiable Information (PII).\nDuring our review, we found that the Privacy Compliance office analysts effectively conducted\nin-depth quality reviews of completed PIAs submitted by system and program owners. From a\npopulation of 202 available PIAs completed in Fiscal Years 2011 and 2012, we reviewed\n27 hardcopy PIAs and 20 online PIAs from the PIAMS and found that all PIAs contained the\nrequired information, such as an analysis of how PII is processed by the system and a description\nof how security risks are mitigated. Further, the Privacy and Information Protection office\ncomplied with the updated privacy reporting requirements by preparing and submitting required\nreports to the Department of the Treasury.\nDespite its commitment toward privacy and improvements from our prior review, the IRS\ncontinues to face challenges in meeting legislative privacy requirements. 
Specifically, we found\nthat:\n   \xef\x82\xb7   PIAs have not been completed or updated for all systems or customer surveys where\n       taxpayer or employee information have been collected and maintained.\n   \xef\x82\xb7   PIAs have not been posted to the IRS\xe2\x80\x99s public website.\n   \xef\x82\xb7   PIAs may not be completed and submitted for internal SharePoint collaboration sites.\n   \xef\x82\xb7   Privacy notices have not been posted on all external websites.\n   \xef\x82\xb7   Key PIA processes have not been documented in standard operating procedures.\n\n                                                                                            Page 3\n\x0c                                Improvements Are Needed to Ensure the\n                        Effectiveness of the Privacy Impact Assessment Process\n\n\n\nThe process to ensure that a PIA is completed, timely updated, and publicly\nposted for all required systems, collections of information, and collaborative sites\nis not effective\nThe PIA consists of a set of questions that help define how a system or collection of information\naffects taxpayer or IRS employee privacy and can help eliminate unanticipated weaknesses in a\nsystem when conducted during the planning and design phases. PIAs are required for\ninformation technology systems or projects that collect, maintain, or disseminate information\nabout members of the public as well as electronic collections of information that include 10 or\nmore persons. Additionally, PIAs are required to be performed and updated when a system\nchange creates new privacy risks. This includes conversions of paper-based records systems to\nelectronic systems, significant system management changes, and other system changes. To\ninitiate the PIA process, the Privacy Compliance office provides system owners with a\nquestionnaire to assess the system\xe2\x80\x99s privacy requirements and determine whether a major change\nhas occurred. 
The owners of the new or updated system and their Information Technology\norganization counterpart complete the PIA as part of the Security Assessment and Authorization\nthat is required for all systems.7 The system owners answer the PIA questions and submit results\nto the Privacy Compliance office for review and approval. In addition to the PIA for systems\nand applications, the Privacy Compliance office has prepared PIA templates for customer\nsurveys, internal collaboration websites, and third-party external websites.\nThe IRS did not complete PIAs for all computer systems\nThe IRS has not established an effective process to ensure that a PIA is completed for all\nrequired computer systems that store or process PII. The E-Government Act of 2002 requires\nagencies to conduct a PIA before developing or procuring information technology systems or\nprojects that collect, maintain, or disseminate information about members of the public or\ninitiating a new electronic collection of information for 10 or more persons. Systems that store\nor process PII without a PIA could adversely impact public assurance that personal information\nis being adequately protected. PIAs are also required to be performed and updated when a\nsystem change creates new privacy risks. System owners are supposed to use a Major Change\nDetermination template when recording system changes. 
Privacy Compliance office officials\ntold us they plan to revise this template to include system retirements and name changes.\nWe initially identified 582 systems or collections of information on the current production\nenvironment8 that did not match the list of PIAs maintained by the Privacy Compliance office.\nFrom the 582 systems or collections of information, we selected a judgmental sample9 of 30 and\n\n\n7\n  PIAs are part of the IRS information technology development process and should be completed for all new\nsystems.\n8\n  We used the IRS As-Built Architecture to identify these information systems and collections of information in the\ncurrent production environment. The current production environment includes applications and data stores.\n9\n  A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.\n                                                                                                            Page 4\n\x0c                            Improvements Are Needed to Ensure the\n                    Effectiveness of the Privacy Impact Assessment Process\n\n\n\nfound that 13 (43 percent) are storing or processing PII and thus require a PIA. The business\nrepresentatives for these 13 systems all told us that they were aware that these systems contained\nPII. When we raised this finding with Privacy Compliance office officials, they made a\nconcerted effort to evaluate all known systems and collections of information and eventually\ndetermined that 184 systems and collections of information required a PIA but one could not be\nlocated. Prior to our audit, the Privacy Compliance office had not established a process to\nreconcile the total inventory of systems with those for which a PIA has been completed. 
The\nPrivacy Compliance office completely relied on system owners to be fully aware of the details\nwithin the E-Government Act and the IRS PIA policy to complete PIAs.\nThe IRS did not update PIAs as required\nAccording to IRS policy, all systems shall be reauthorized to operate whenever the system\nundergoes a significant change or every three years, whichever occurs first. To align with this\nreauthorization requirement, the Privacy Compliance office policy requires all existing PIAs\nto be reviewed and updated every three years at a minimum. However, the IRS has not\nestablished an effective process to ensure that PIAs are timely updated for all required systems\nthat contain PII. Although the Privacy Compliance office maintains a PIA control listing for\nFiscal Years 2008 through 2012 and the PIAMS has been operational since December 2011,\nneither the control listing nor the PIAMS identifies whether PIAs have reached the threshold of\nthe mandatory three-year cycle for an update review. As a result, the Privacy Compliance office\nhas no assurance that all PIAs requiring an update review will receive one.\nWe identified 162 PIAs on the Fiscal Year 2008 control listing and determined that 56 PIAs have\nno record of an update on the subsequent years\xe2\x80\x99 PIA control records. Our review of a statistical\nsample of 20 of the 56 PIAs determined that 11 (55 percent) did not have a subsequent update as\nrequired. After we shared this finding with the Privacy Compliance office, we were informed\nthat a future enhancement to the PIAMS will provide the capability to identify PIAs that are\nnearing the three-year update threshold. 
Once implemented, this enhancement will help ensure\nthat PIAs are updated as required on an ongoing basis.\nThe IRS did not complete PIAs for all customer surveys\nCustomer surveys are an important and useful tool for the IRS to measure program effectiveness,\ncustomer satisfaction, and delivery of services, but care must be taken to collect, use, disclose, or\nshare PII during the survey process. The IRS has not established an effective process to ensure\nthat PIAs are completed for surveys when necessary. The IRS business divisions submit their\nsurveys to the Statistics of Income Division for review before sending them to the OMB for\napproval. However, the Statistics of Income Division did not review whether PII is being\ncollected or maintained, nor did it assess privacy implications of the survey. In addition, this\noffice did not share the survey with the Privacy Compliance office or require evidence of their\nreview prior to processing the survey for approval.\n\n\n                                                                                              Page 5\n\x0c                            Improvements Are Needed to Ensure the\n                    Effectiveness of the Privacy Impact Assessment Process\n\n\n\nAlthough the Privacy Compliance office provides a website that includes survey PIA guidance,\nthe survey owners determine whether they need to prepare and submit a PIA to the Privacy\nCompliance office for approval. We identified 130 IRS customer satisfaction surveys and\ncognitive research studies conducted during the period January 2011 to June 2012. The Privacy\nCompliance office received and processed only six survey PIAs during this time period. We\ndetermined that Privacy Compliance office personnel performed no reconciliation of surveys in\nits inventory and were not aware of the volume of IRS customer surveys. 
Further, the Privacy\nCompliance office has not developed a questionnaire for survey owners to assess their need for a\nPIA.\nAfter we shared this finding with the IRS, it began implementing a new process whereby the\nStatistics of Income Division will route copies of all survey submissions to the Privacy\nCompliance office for review beginning August 2012. Once received, a Privacy Compliance\noffice analyst will first review the survey within five business days to determine whether a PIA is\nnecessary. If so, the Privacy Compliance office will work with the business operating division\nanalysts within 15 business days to complete the PIA process and notify the Statistics of Income\nDivision so the survey package can be forwarded to the Department of the Treasury and the\nOMB for review and approval. The Statistics of Income Division will also provide the Privacy\nCompliance office with a monthly listing of all surveys submitted to the division so that the\nPrivacy Compliance office can verify that it reviewed all the survey submissions. On\nAugust 1, 2012, officials from the Privacy Compliance office and the Statistics of Income\nDivision established an agreement between the two offices to ensure that all surveys are\nidentified and reviewed for privacy requirements.\nPIAs were not posted publicly on the IRS website\nThe OMB directs that information systems and collections of information containing taxpayer\nPII require a PIA and, if practicable, that the agency make the PIA publicly available through its\nwebsite. The IRS, however, does not have an effective process to ensure that PIAs that contain\ntaxpayer information are posted to its public website. We identified 80 PIAs with taxpayer PII\nthat the IRS had not posted to its public website. 
These included 71 from the manual control\nlistings and nine completed in the PIAMS.\nFurther, the PIAMS does not have the capability to identify and route the appropriate PIAs for\neventual posting to the IRS public website, and the system does not have an alert to identify\nthose PIAs that have not been posted to the public website. Currently, the Privacy Compliance\noffice manually tracks PIAs through the website posting process, which is not effective. As a\nresult, the public has no information about the security of their information in these affected\nsystems or collections of information, and the IRS has therefore not complied with OMB\ninstructions.\n\n\n\n\n                                                                                            Page 6\n\x0c                            Improvements Are Needed to Ensure the\n                    Effectiveness of the Privacy Impact Assessment Process\n\n\n\nThe IRS has not completed PIAs for internal collaboration sites\nThe IRS increasingly relies on digital forms of communication for computer-based real-time\ncollaboration. Internal collaborative application websites (e.g., SharePoint) are established and\nconfigured for basic file sharing and team collaboration. These systems provide virtual space,\nenabling participants to communicate while also allowing for the sharing of applications and\ndocuments. Some of these features raise network and data security concerns and, therefore,\nproper security controls must be implemented.\nThe OMB requires the IRS to develop and implement PIA processes to ensure that a PIA is\nprepared for each system or collection of information that stores PII. Therefore, any SharePoint\nsite that stores PII is required to have a PIA, and the Privacy Compliance office correctly states\nthis requirement on its website. 
The Internal Revenue Manual, however, incorrectly states that\ncollaborative application sites such as SharePoint that are established and configured for basic\nfile sharing and team collaboration do not require a security authorization or a PIA. This\nerroneous statement in the Internal Revenue Manual may result in SharePoint site owners not\nsubmitting a PIA when PII is present, as required. The IRS has prepared a draft correction to the\nInternal Revenue Manual policy and has also included a reference to the Privacy Compliance\noffice website instructions for SharePoint. The IRS does not have adequate assurance that it is\ncomplying with the privacy provisions set forth by the OMB because PII could be stored on\nSharePoint sites for which a PIA has not been conducted.\nThe Privacy Compliance office has prepared a draft SharePoint PIA questionnaire template in\norder to help expedite the compliance process for IRS collaboration sites. Once published,\nSharePoint site collaboration administrators who know PII will be on their sites will be able to\nrespond to the template questions and forward the form to the Privacy Compliance office. The\nPrivacy Compliance office will use those template responses to assess and mitigate any privacy\nrisks. Sites without PII will not require a PIA. This will help facilitate the PIA determination\nprocess for SharePoint sites.\n\nRecommendations\nThe Director, PGLD, should:\nRecommendation 1: Investigate all 184 information systems and collections of information\nidentified and coordinate with system owners to complete the required PIAs.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. 
       The PGLD
       organization stated it will determine which of these 184 systems require a PIA and
       coordinate with system owners to receive the required PIAs by March 15, 2014.
Recommendation 2: Establish a) an annual reconciliation process in which the PIA inventory
is reconciled with all information systems and collections of information in the current
production environment; b) the completion of the planned revisions to the Major Change
Determination template, which will help facilitate the annual reconciliation process; and c) a
process to identify all completed and approved PIAs that have not been updated within three
years and coordinate with system owners to review and update these PIAs as required.
       Management’s Response: The IRS agreed with this recommendation. The PGLD
       organization stated it has begun work on a PIA inventory reconciliation process and
       completed the planned revisions to the Major Change Determination template. A process
       will be added to the PIAMS to identify future PIAs that are not updated within three
       years. Additionally, the PGLD organization is working on a manual process to identify
       older PIAs, not yet in the PIAMS, which need to be updated. Once the outdated PIAs
       have been identified, the PGLD organization will coordinate with system owners to
       update these PIAs.
Recommendation 3: Document its new PIA customer survey processes in the Internal
Revenue Manual or on the PGLD organization website.
       Management’s Response: The IRS agreed with this recommendation.
       The PGLD
       organization will document its new customer survey process in the Internal Revenue
       Manual or on the PGLD organization website.
Recommendation 4: Ensure that the 80 PIAs that TIGTA identified as well as any other
PIAs currently not available to the public are redacted as necessary and posted to the IRS public
website.
       Management’s Response: The IRS agreed with this recommendation. The PGLD
       organization conducted an analysis and posted nine of the 80 PIAs to the IRS public
       website. In addition, the PGLD organization determined several PIAs do not require
       posting for various reasons, such as 1) incomplete PIAs that were initially submitted but
       never completed by the customers and 2) documents were not full PIAs but were
       Qualifying Questionnaires or Major Change Determinations. The PGLD organization
       stated it would redact and post approximately 20 PIAs to the IRS public website.
Recommendation 5: Update the PIAMS with the functionality to automatically notify the
PGLD organization and the IRS public website web master when actions are required on their
part to process new or existing PIAs for public posting.
       Management’s Response: The IRS agreed with this recommendation and indicated
       the action to address our recommendation was on the PIAMS project plan during our
       audit.
       The PGLD organization also stated this recommendation was implemented on
       November 29, 2012.
Recommendation 6: Both a) ensure that the new PIA template for SharePoint sites is
completed and published on the Privacy Compliance office website and b) issue a memorandum
to all business operating divisions advising them of the PIA template for SharePoint sites.
       Management’s Response: The IRS agreed with this recommendation. The PGLD
       organization stated it is updating the SharePoint PIA template and applicable policy and
       plans to issue an interim guidance memorandum to all business operating divisions
       advising them of the PIA template for SharePoint sites.

The Privacy Compliance office has not established effective processes to ensure
that the IRS privacy notice is posted on third-party websites and to identify
unauthorized websites
The OMB requires agencies, where feasible, to post their privacy notice on third-party websites
and direct individuals to the agency’s official website for their privacy policy. In addition, the
OMB requires that the notice be posted on the front page of the third-party website and that all
practical steps be taken to ensure that the notice is conspicuous, salient, clearly labeled, written
in plain language, and prominently displayed at all locations where the public might make PII
available to the IRS.
The IRS has not established an effective process to ensure compliance with the OMB’s
third-party website requirement and to ensure that its privacy notice and a link to its privacy
policy are posted on public websites used by IRS officials.
We traversed the Internet and
identified the following four unauthorized public websites that were created by IRS employees
without the knowledge of the Privacy Compliance office.
       1. Twitter IRS Recruiter59 – This site was created by an IRS Human Capital Office
          employee to enable him or her to tweet about job announcements in the IRS.
       2. Twitter IRS Careers – This site was also created by an IRS Human Capital office
          employee to enable him or her to tweet information about careers in the IRS.
       3. IRS LinkedIn – This site is used by current and former IRS employees to share
          information. Once an individual is granted access to the site, the new member can
          invite and grant access to other members of the public. The public could post its personal
          information on this site.
       4. GovLoop – This site is a social network connecting Federal, State, and local government
          innovators and a resource to connect with peers, share best practices, and find
          career-building opportunities. One of the features of this site is blogging, where an IRS
          Human Capital Office employee has communicated and discussed careers, retirement,
          and other informational topics.
We informed the IRS about the four unauthorized websites, all of which were created before the
IRS established its New Media Governance Council10 to approve third-party websites in
December 2010.
The two Twitter websites were created by employees in the IRS Human
Capital office who were not official communicators handling official IRS media. The Privacy
Compliance office took corrective action and both Twitter websites were deactivated in
September 2012. The IRS LinkedIn and GovLoop websites violate OMB policy because both
allow the public to post PII but the IRS’s privacy notice and a link to its privacy policy are not
provided on the websites. The Privacy Compliance office told us that the IRS LinkedIn and
GovLoop websites did not contain PII and, therefore, a privacy notice was not required on these
websites. However, during our review, we found information about IRS employees and other
PII on these websites.

10 The New Media Governance Council is located within the Communication and Liaison Division at the IRS.

The Privacy Compliance office was not aware of the need to monitor the Internet for unapproved
third-party websites. Further, if the IRS privacy policy is not posted, the public might not be
aware of the risks of sharing PII on third-party websites. Taxpayers could be jeopardizing their
information on these websites without the understanding that the IRS is not responsible for
security over these websites.

Recommendations
The Director, PGLD, should:
Recommendation 7: Issue a memorandum, in conjunction with the Communication and
Liaison Division, to all IRS executives requesting they notify the New Media Governance
Council with the details of any proposed third-party website activity for review and approval.
       Management’s Response: The IRS agreed with this recommendation.
       To raise
       awareness of the New Media Governance Council notification process, the PGLD
       organization will coordinate with the Communications and Liaison Division to issue a
       memorandum requesting IRS executives notify the New Media Governance Council of
       any proposed third-party website activity for review and approval.
Recommendation 8: Ensure that a process is implemented whereby the IRS a) monitors the
Internet on a continual basis for unauthorized third-party websites and b) coordinates with
website owners to post the IRS privacy notice and a link to the IRS privacy policy on other
third-party and social media websites.
       Management’s Response: The IRS agreed with this recommendation. The PGLD
       organization will partner with the Communications and Liaison Division to develop a
       monitoring solution to detect unauthorized IRS social media sites. Through the New
       Media Governance Council and the PIA process, the IRS will ensure that authorized
       social media site owners post the required privacy notices.

Key PIA processes are not documented in standard operating procedures
According to the Government Accountability Office, assessing the effectiveness of internal
controls includes a determination that written policies and procedures have been developed and
are in place for all activities.11 Privacy Compliance office management has not ensured that
complete and up-to-date written guidelines in the form of standard operating procedures have
been prepared for the Privacy Compliance office analysts who perform assessment, review, and
processing of PIAs submitted both manually and electronically through the PIAMS.
During our
on-site observation of the PIA assessment and completion process, Privacy Compliance office
analysts prepared informal guidelines for TIGTA to follow for both the manual PIAs and those
in the PIAMS due to the lack of formal written guidelines.
The PGLD organization identifies the roles and responsibilities for privacy, information
protection, and data security (including PIAs) in the Internal Revenue Manual, but these
guidelines lack the granularity and specific detailed procedures for PIA assessment, review, and
processing. The Internal Revenue Manual is the official source of procedures, guidelines,
policies, and delegations of authority relating to administration and operations, and subordinate
procedural guidance (standard operating procedures, desk procedures, etc.) is used to provide
detailed instructions for implementing and complying with the Internal Revenue Manual
requirements. Written standard operating procedures are important because Privacy Compliance
office analysts are responsible for a variety of critical tasks that include performing assessments
of all PIAs submitted. If problems are identified with a PIA submission, the analysts notify and
communicate with the system owners to assist them in making the necessary corrections. When
the assessment is completed and all data are correct, the analysts ensure that the PIAs receive
approval by the Associate Director, Privacy Compliance. They also ensure that the approved
PIAs get routed to the Disclosure office for redaction, when applicable, before eventual
publication on the IRS public website. However, these important tasks are not detailed in
complete and updated written guidelines.
If the experienced analysts leave the Privacy
Compliance office, there could be an adverse impact on the quality and timeliness of PIA
processing.

Recommendation
Recommendation 9: The Director, PGLD, should ensure that current and complete standard
operating procedures are established for all PIA processing procedures, including reviewing and
approving PIAs, updating PIAs, and reconciling PIAs to other IRS system inventories.
        Management’s Response: The IRS agreed with this recommendation. The PGLD
        organization has developed standard operating procedures for the PIA review process and
        is currently drafting comprehensive PIA processing procedures.

11 Government Accountability Office (formerly the General Accounting Office), GAO-01-1008G, Internal Control
Standards: Internal Control Management and Evaluation Tool (Aug. 2001).

The Privacy Impact Assessment Management System Does Not
Effectively Automate Key Privacy Impact Assessment Processes
The purpose of the PIAMS is to allow IRS system owners to electronically input responses to
questions about PII to create required PIAs and then allow the Privacy Compliance office subject
matter experts the ability to analyze the data requirements for the systems in an electronic format
rather than the paper-based format used previously. The PIAMS consists of a series of web
pages that allow IRS employees to input required PIAs online. The PIAMS also allows business
owners and developers to enter their PIAs early in the development stage. Business owners of
legacy systems are also required to submit their PIAs via the PIAMS.
According to stated
system objectives, the PIAMS is supposed to facilitate a more efficient method of completing the
PIA, replacing the manual paper-based process.
We found the PIAMS does not effectively automate the review component of the PIA process.
Privacy Compliance office management did not ensure that analysts, who are the subject matter
experts on PIAs, were fully involved in the establishment of the PIAMS processes. Additionally,
the PIAMS was not effectively tested by the system owners or the analysts who perform quality
reviews of the assessments in the PIAMS. Privacy Compliance office analysts told us that they
are not satisfied with PIAMS functionality and they still must perform some manual processes
that the PIAMS either does not complete effectively or does not have the capability to address.
The analysts simply do not consider the PIAMS to be more efficient than the manual PIA
process that the system was intended to replace.
Based on our observations and analyses, we came to the same conclusion. We identified several
key processes that were not effectively automated by the PIAMS. Examples include:
   •   The original manual PIA template allowed Privacy Compliance office analysts to easily
       skim the system owners’ answers to the 19 questions posed. However, the new electronic
       PIA template in the PIAMS contains 32 questions in 11 separate sections and 27 different
       computer screens online. Each screen must be viewed separately because the PIAMS
       does not afford a scrolling feature. The Privacy Compliance office analysts told us they
       print the entire PIA from the PIAMS before conducting their quality review, thereby
       returning it to a manual process of review.
   •   The order of questions in the PIAMS template hinders the review of the PIA.
       For
       example, a key question for determining the need for a PIA is whether the system under
       review contains PII. In the PIAMS, this PII question is not asked until question eight of
       32. Another key question regards whether a System of Records Notice is required for the
       system and whether the system contains 10 or more records with PII. These answers are
       not addressed until questions 30 and 31, respectively.
   •   Many of the electronic questions allow the system owner to input only simple yes or no
       answers. However, the previous PIA template required the system owner to provide
       narrative explanations and details to facilitate a more thorough understanding of the
       system.
   •   The PIAMS does not always send e-mail notifications to the Privacy Compliance office
       official who is required to approve the PIA after the Privacy Compliance office analyst
       completes his or her review. Other important e-mail notifications are not always sent to
       officials who are required to take actions, such as Disclosure office analysts who must
       redact the PIA before it is posted to the IRS public website. These notifications currently
       must be performed outside of the PIAMS.
At the request of the Privacy Compliance office, MITRE Corporation (MITRE) consultants met
with Privacy Compliance office officials in July 2012 and, in conjunction with analyst
suggestions, proposed PIAMS template changes. The analysts and MITRE regrouped, modified,
and re-ordered the PIAMS questions to eliminate unnecessary information and reduce the level
of effort required by the Privacy Compliance office reviewers.
The revised questions include
more detailed selections replacing yes or no responses in some questions, and the original 32
PIAMS questions are reduced to 22 questions with several sub-questions and better reporting
capability. We reviewed the MITRE results and believe they substantiate claims made by
Privacy Compliance office analysts that problems exist with the current state of the PIAMS.

Recommendations
The Director, PGLD, should:
Recommendation 10: Assess the recommended PIAMS template modifications submitted by
MITRE, as well as the necessity, feasibility, and prioritization of the planned PIAMS updates
listed in the current project plan.
       Management’s Response: The IRS stated it independently took action on this
       recommendation prior to our making the recommendation. The PGLD organization
       stated that a team of IRS analysts and management, with MITRE’s assistance, overhauled
       the PIAMS template in response to user feedback. The PGLD organization also stated
       the PIAMS template was rewritten and rearranged into an effective, comprehensive
       electronic assessment of privacy risks. Lastly, the PGLD organization stated it
       reprioritized several updates to the PIAMS based on customer feedback and its own
       evaluations and will continue to do so.
       Office of Audit Comment: We did not see evidence that the PIAMS template was
       overhauled, rewritten, or rearranged to address the deficiencies that we and MITRE
       identified.
       We continue to believe the PIAMS version, at the time of our review, could
       be improved to ensure that PIA processes are more efficient than the manual PIA
       processes the system was supposed to replace.

Recommendation 11: Gather, document, and assess the system requirements from PGLD
organization analysts and other officials who use the PIAMS and implement requirements
changes as necessary, and test newly implemented user requirements to ensure that the intended
efficiency benefits are achieved.
       Management’s Response: The IRS stated it independently took action on this
       recommendation prior to our making the recommendation. The PGLD organization
       indicated that since November 2011 it has conducted information gathering on PIAMS
       requirements from PGLD organization analysts and other users. In addition, the PGLD
       organization stated it holds weekly PIAMS status update meetings with analysts, the
       developer, and the Contracting Officer’s Representative to ensure an effective process.
       As a result of the meetings, the PGLD organization stated it implements changes to the
       PIAMS as necessary and performs testing with the PGLD organization analysts and
       customers.
       Office of Audit Comment: The evidence we reviewed indicates the deficiencies in
       the PIAMS resulted from a lack of requirements gathering and testing by the PGLD
       organization analysts, who are the subject matter experts on PIAs.
       We continue to
       believe the PIAMS version, at the time of our review, could be improved to effectively
       automate the key privacy impact assessment processes.

                                                                                Appendix I

          Detailed Objective, Scope, and Methodology

The overall objective of this review was to evaluate the IRS’s processes to implement the OMB
privacy provisions of the E-Government Act of 2002.1 To accomplish our overall objective, we:
I.       Determined whether the IRS has established effective policies, plans, and procedures to
         ensure that a PIA2 is properly completed for each required system.
         A. Evaluated the PIA policies, plans, and procedures to ensure compliance with the key
            standards specified in OMB Memorandum M-03-22,3 including initial PIA
            assessment, preparation, submission, quality review, approval, publication, and
            updates.
         B. Interviewed PGLD organization officials to identify the controls they implemented to
            ensure that a PIA is completed and updated for all required systems.
         C. Assessed the adequacy of the PIA determination process for surveys.
         D. Evaluated processes to ensure that a PIA is completed for each SharePoint site that
            stores PII.
         E. Obtained downloads of the PIAs accounted for by the PGLD Privacy Compliance
            office in the PIAMS and in Fiscal Years 2008 through 2012 PIA inventory manual
            control listings.
         F. Determined whether the PGLD Privacy Compliance office’s processes ensure that a
            PIA is completed for all systems that require a PIA.
             1. Obtained a download of the IRS system inventories that contained a total of
                823 systems.
             2. Identified 582 systems in the inventories that did not match systems in the PIA
                listings.
             3. Selected a judgmental sample4 of 30 unmatched systems from the
                582 systems in Step I.F.2. to identify active systems that should have a PIA.
             4. Interviewed the business representatives for the 30 unmatched systems in our
                judgmental sample and determined whether they were aware that a PIA was
                required based on the E-Government Act of 2002.
             5. At the end of our fieldwork, we worked with IRS officials to cull down the
                number of systems needing a PIA from 582 to 184 systems.
         G. Determined whether redacted copies of all PIAs are made available on the IRS.gov
            public website, except where prohibited for security reasons.
             1. Compared the PIAs posted on the IRS.gov public website to the PGLD
                organization’s PIA control listings and the independent inventory listing to
                identify those not posted.
             2. Determined the validity of the reasons for the PGLD organization not posting any
                PIAs to the IRS.gov public website.
         H. Conducted an on-site observation of the PIAMS and the procedures performed by the
            PGLD organization analysts who process and review the PIAs. We conducted a
            manual reconciliation of all records in the PIAMS.
         I. Determined whether PGLD organization processing ensures that PIAs are properly
            approved, current, complete, accurate, and in compliance with OMB and
            E-Government Act provisions.
             1. Selected a statistical sample of 25 PIAs from the PIA listings and 18 PIAMS PIAs
                based on a ±5 percent precision rate, 2 percent error rate, and 95 percent
                confidence level. We also judgmentally selected three surveys and one social
                media PIA.
             2. Selected a statistical sample of 20 Fiscal Year 2008 PIAs with no three-year
                update, based on a ±5 percent precision rate, 2 percent error rate, and 95 percent
                confidence level.
             3. Determined whether the selected PIAs were properly approved, complete, and
                accurate and whether the PIA answered the required questions that define how a
                system affects taxpayer or IRS employee privacy.
II.      Determined whether the IRS posted a privacy policy on its public third-party websites
         and whether the policy complies with OMB requirements.
III.     Determined whether the IRS submitted required privacy information in Fiscal Year 2011
         to the Department of the Treasury, based on the updated reporting requirements for the
         Federal Information Security Management Act, Section D, Senior Agency Official for
         Privacy report.

1 Pub. L. No. 107-347 (2002), sec. 208.
2 See Appendix IV for a glossary of terms.
3 OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act
of 2002, Public Law 107-347 (Sept. 2003). This guidance applies to all executive branch departments and agencies
and their contractors that use information technology or operate websites for purposes of interacting with the public.
4 A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined the following
internal controls were relevant to our audit objective: OMB Memorandum M-03-22, OMB
Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002; the
Department of the Treasury’s Publication 25-07, Privacy Impact Assessment Manual (dated
August 2008); and related Internal Revenue Manual guidelines and processes followed by the
IRS to implement the privacy provisions of the E-Government Act of 2002. We evaluated these
controls by interviewing IRS officials in the PGLD office and other IRS offices that have duties
and responsibilities for implementing the privacy provisions.
We also analyzed pertinent
documentation and observed the operation of the PIAMS.

                                                                              Appendix II

                 Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology
Services)
Kent T. Sagara, Director
W. Allen Gray, Audit Manager
Jena R. Whitley, Acting Audit Manager
George L. Franklin, Lead Auditor
Midori Ohno, Senior Auditor
Sam Mettauer, Information Technology Specialist

                                                                            Appendix III

                        Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Director, Office of Research, Analysis, and Statistics RAS
Director, Office of Privacy, Governmental Liaison, and Disclosure OS:P
Associate Chief Information Officer, Enterprise Operations OS:CTO:EO
Associate Chief Information Officer, User and Network Services OS:CTO:UNS
Director, Privacy and Information Protection, OS:P:PIP
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Office of Privacy, Governmental Liaison, and Disclosure OS:P
       Director, Risk Management Division OS:CTO:SP:RM

                                                                               Appendix IV

                               Glossary of Terms

Term                            Definition

As-Built Architecture           An integral part of the IRS’s Enterprise Architecture dedicated
                                to documenting the Current Production Environment
                                (applications, data stores, infrastructure, data interfaces) and
                                related organizations, locations, technology platforms, etc.
Federal Information Security    A part of the E-Government Act of 2002 that consolidates
Management Act                  many security requirements and guidance into an overall
                                framework for managing information security.
Fiscal Year                     A 12-consecutive-month period ending on the last day of any
                                month, except December. The Federal Government’s fiscal
                                year begins on October 1 and ends on September 30.
Information Technology          Any equipment or interconnected system or subsystem of
                                equipment that is used in the automatic acquisition, storage,
                                manipulation, management, movement, control, display,
                                switching, interchange, transmission, or reception of data or
                                information by an executive agency.
Internal Revenue Manual         The single, official source of IRS instructions to staff.
                                Instructions to staff are procedures, guidelines, policies, and
                                delegations of authority and other such instructional materials
                                relating to the administration and operation of the IRS.
MITRE Corporation (MITRE)       Hired by the IRS as a Federally Funded Research and
                                Development Center to assist with the systems modernization
                                effort.
New Media Governance            Serves as an advisory body for oversight and coordination and
Council                         for providing input and guidance on major decisions relating
                                to development and implementation of new media channels.
Office of Management and        The OMB’s predominant mission is to assist the President in
Budget (OMB)                    overseeing the preparation of the Federal budget and to
                                supervise administration in Executive Branch agencies. The
                                OMB evaluates the effectiveness of agency programs,
                                policies, and procedures. The OMB oversees and coordinates
                                the Administration’s procurement, financial management,
                                information, and regulatory policies.
Office of Privacy,              The mission of the PGLD organization is to preserve and
Governmental Liaison, and       enhance public confidence by advocating for the protection
Disclosure (PGLD)               and proper use of identity information. The PGLD
                                organization consists of five offices: Governmental Liaison
                                and Disclosure; Office of Safeguards; Online Fraud Detection
                                and Prevention; Privacy and Information Protection; and
                                Program and Planning Support.
Personally Identifiable         Information that can be used to distinguish or trace an
Information (PII)               individual’s identity, either alone or when combined with
                                other personal or identifying information that is linked or
                                linkable to a specific individual.
Privacy Impact Assessment       An analysis of how information is handled: (1) to ensure that
(PIA)                           handling conforms to applicable legal, regulatory, and policy
                                requirements regarding privacy; (2) to determine the risks and
                                effects of collecting, maintaining, and disseminating
                                information in identifiable form in an electronic information
                                system; and (3) to examine and evaluate protections and
                                alternative processes for handling information to mitigate
                                potential privacy risks.
Privacy Impact Assessment       A series of web
pages that allows customers to input responses\nManagement System (PIAMS)    to questions about PII. The PIAMS also allows the Privacy\n                             subject matter experts the ability to analyze the data\n                             requirements for the particular system in an electronic format.\n\n\n\n\n                                                                                      Page 21\n\x0c                           Improvements Are Needed to Ensure the\n                   Effectiveness of the Privacy Impact Assessment Process\n\n\n\n\nTerm                            Definition\n\nPrivacy Notice                  A brief description of how the agency\xe2\x80\x99s privacy policy will\n                                apply in a specific situation. The privacy notice should notify\n                                individuals before they engage with an agency and should be\n                                provided on the specific web page or application where\n                                individuals have the opportunity to make PII available to the\n                                agency.\nPrivacy Policy                  A single, centrally located statement about an agency\xe2\x80\x99s\n                                general privacy practices that is accessible from an agency\xe2\x80\x99s\n                                official homepage. 
It should be a consolidated explanation of\n                                the agency\xe2\x80\x99s general privacy-related practices that pertain to\n                                its official website and its other online activities.\nSenior Agency Official for      The Director, PGLD, serves as the IRS Senior Agency Official\nPrivacy                         for Privacy, having overall responsibility for accounting to the\n                                Department of the Treasury, the OMB, and other regulatory\n                                agencies regarding the IRS\xe2\x80\x99s implementation of information\n                                privacy protections, including full compliance with Federal\n                                laws, regulations, and policies relating to information\n                                protection.\nStatistics of Income Division   The mission of the Statistics of Income Division is to collect,\n                                analyze, and disseminate information on Federal taxation for\n                                the Department of the Treasury\xe2\x80\x99s Office of Tax Analysis,\n                                congressional committees, the IRS in its administration of the\n                                tax laws, other organizations engaged in economic and\n                                financial analysis, and the general public.\nSystem of Records Notice        The Privacy Act requires publication of a System of Records\n                                Notice in the Federal Register for all Systems of Records in\n                                the agency for which personal information about individuals is\n                                retrieved by unique individual identifiers.\nThird-Party Website             Web-based technologies that are not exclusively operated or\n                                controlled by a Government entity and often are not part of an\n                                official 
Government domain.\n\n\n\n\n                                                                                        Page 22\n\x0c             Improvements Are Needed to Ensure the\n     Effectiveness of the Privacy Impact Assessment Process\n\n\n\n                                                   Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                         Page 23\n\x0c        Improvements Are Needed to Ensure the\nEffectiveness of the Privacy Impact Assessment Process\n\n\n\n\n                                                    Page 24\n\x0c        Improvements Are Needed to Ensure the\nEffectiveness of the Privacy Impact Assessment Process\n\n\n\n\n                                                    Page 25\n\x0c        Improvements Are Needed to Ensure the\nEffectiveness of the Privacy Impact Assessment Process\n\n\n\n\n                                                    Page 26\n\x0c        Improvements Are Needed to Ensure the\nEffectiveness of the Privacy Impact Assessment Process\n\n\n\n\n                                                    Page 27\n\x0c        Improvements Are Needed to Ensure the\nEffectiveness of the Privacy Impact Assessment Process\n\n\n\n\n                                                    Page 28\n\x0c        Improvements Are Needed to Ensure the\nEffectiveness of the Privacy Impact Assessment Process\n\n\n\n\n                                                    Page 29\n\x0c'